Re: Help from security gurus?
- Subject: Re: Help from security gurus?
- From: Mai Nguyen <email@hidden>
- Date: Mon, 15 Aug 2011 13:27:39 -0700
Hi Chuck,
I found the culprit.
If, by any chance, you have an Ajax type which starts with a <script>, and preceding the Ajax element you have a malicious script, then that script would be executed.
The thing is to prevent it completely, but even scrubbing it may still get executed in JavaScript, as the JavaScript parser is active. So it is better not to have any script at all, and do it some other way.
thanks,
mai
On Aug 15, 2011, at 10:47 AM, Chuck Hill wrote:
> Hi Mai,
>
> I am confused. That HTML looks like it was added on the server. Are you using an Ajax component that is adding this to your page?
>
>
> Chuck
>
>
> On 2011-08-12, at 4:57 PM, Mai Nguyen wrote:
>
>> Hello,
>> I am really baffled at how someone can insert a <A target> link into the following WebObjects page:
>> .....
>> <td> &#x5b;Enter brief description of issue&#x28;s&#x29;&#x5d;
>> <br/>
>> <a href="javascript:void(0);" onClick="show_summary(this); return false;">Show Summary</a>
>>
>> <A target="[Enter brief description of issue(s)]" onClick="window.open('/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11','[Enter brief description of issue(s)]','toolbar=no,location=no,status=no,menubar=no,resizable=yes,scrollbars=yes,width=900,height=600'); return false" href="/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11">Show Details</A>
>> </td>
>> ......
>> All input fields are verified and sanitized.
>>
>> Could someone inject this <A> link from the above onClick="show_summary()" JavaScript?
>>
>> Many thanks for your advice,
>>
>> -mai
>
>
> --
> Chuck Hill Senior Consultant / VP Development
>
> Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
> http://www.global-village.net/products/practical_webobjects
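The contrast Mai draws above, between scrubbing input and not emitting script at all, as an added JavaScript example that is not part of this thread: a blocklist scrub that removes only `<script>` blocks leaves an injected `<A ... onClick>` intact, while hex-entity encoding of the kind visible in the quoted fragment (`&#x5b; ... &#x5d;`) turns it into inert text. The sample input, the `renderCell` helper and the check names are constructed for this example and are not WebObjects APIs.

```javascript
// Added example, not code from the thread. Runs under Node with no dependencies.

// Blocklist scrub: strips <script>...</script> only. Any other element,
// including one carrying an event handler attribute, survives untouched.
function naiveScrub(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Context-aware output encoding for an HTML text node: every character that
// can change HTML structure becomes a hex entity, the same shape the quoted
// WebObjects page used for "[", "(", ")" and "]".
function encodeForHtml(input) {
  return input.replace(/[&<>"'\[\]()]/g,
    (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// Structural check a defender can run over templated output in tests:
// is there any element with an on* event handler attribute?
function containsEventHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

// Constructed sample modelled on the quoted fragment: a stored value that
// would render as an <A target=... onClick=...> link if emitted unencoded.
const SAMPLE_INPUT = "[Enter brief description of issue(s)]" +
  "<A target=\"x\" onClick=\"window.open('/cgi-bin/WebObjects/MyTestApp.woa');\">" +
  "Show Details</A>";

// Hypothetical template cell, shaped like the <td> in the thread.
function renderCell(value, encoder) {
  return "<td> " + encoder(value) + "\n<br/>\n</td>";
}

// Render the same value both ways and report what each leaves behind.
function compare() {
  const scrubbed = renderCell(SAMPLE_INPUT, naiveScrub);
  const encoded = renderCell(SAMPLE_INPUT, encodeForHtml);
  return {
    scrubbedStillHasHandler: containsEventHandler(scrubbed), // true
    encodedStillHasHandler: containsEventHandler(encoded),   // false
    encodedPrefix: encoded.slice(0, 16),                     // "<td> &#x5b;Enter"
  };
}

console.log(compare());
```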
Webobjects-dev mailing list (email@hidden)